1
b2plane
365d

2 questions:

1. Why would I use Keycloak if I can code the same shit with my custom JWT implementation?

2. Is JWT still secure today or should I use OAuth2? If JWT is still fine to implement then I'll continue doing it because I know exactly how to implement it. But how can I determine when to use OAuth2 vs JWT?

Comments
  • 6
    uh.. JWT and OAuth are not the same thing.
    JWT is a token, OAuth2 is a protocol that specifies a token format.

    However, you can use JWT for the bearer token with the added Authorization header, following some RFC I don't remember. JWT auth does not care where you got the token from, though.

    Usually it is better to just use OAuth2. Yes, it is more complex, but it is for a very good reason.
  • 0
    @thebiochemic what is the very good reason for using it?

    Question 3 (since I have to wait 2h before posting another rant):

    Just went over Redis. I understand at least the basics now and how to implement it. So this is like some kind of real-time database? What is the difference between Redis and GraphQL in this case? And also, in what scenarios should I be using Redis vs normal PostgreSQL, Kafka streams or GraphQL?
  • 4
    1. JWT is just a format. You don't use JWT instead of OAuth, you use it together with OAuth, or any other authorization service.

    2. You should use Keycloak or a similar service because you don't want to a) reinvent the wheel, b) risk a security issue, c) mix the OAuth implementation with your business logic.

    Generally it's strongly recommended, but if you don't really care about security, you can do whatever you want. If you're just gonna issue a JWT you might as well be using cookies.

    3. Redis is a caching server. It's not meant for long-term storage. It sits right next to your server and caches your server's responses to requests. In case the same request happens again within a short time, you can use the cached response instead of accessing your actual database and processing the actual response. This way you save memory and cycles for serving actual new requests instead of rebuilding the responses to requests you already know.
  • 3
    1. Unless you are a seasoned expert, chances are you're gonna do more stuff wrong than Keycloak.

    2. Two non-comparable things. One defines a data structure, the other a process that _uses_ that data structure. That's like comparing an engine with a car. (Which makes me guess that, quite likely, you are _not_ a seasoned expert on the topic, and probably shouldn't roll your own.)
  • 0
    @Hazarth

    3. How is the caching mechanism built? What if the 3rd-party API (or my own) gets updated? How is the app supposed to know if it should fetch cached (Redis) data or fetch brand-new data from the API?
  • 2
    @b2plane Redis is accessed as a middleware in your own server.

    User request -> (optionally check cache) -> process request -> (optionally cache response) -> response

    It's API agnostic. The 3rd party always hits your API as normal and doesn't know anything about the caching mechanism. It's you that wraps your logic with Redis calls. Though usually frameworks can already do this for you. I know Spring and FastAPI definitely support Redis hooks; you just annotate your functions properly and it handles the caching for you automatically. Or you can do it yourself, but at least get a Redis library so you don't have to code low-level calls for no reason.
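The request flow above (check cache, process, cache response) is the cache-aside pattern, and the earlier question about stale data is answered by two things: a TTL on every cached entry and an explicit delete whenever your own write path changes the underlying record. The following is an added example written for this thread, not code from any commenter or from the Redis project. It uses a small in-memory stand-in that mimics the `get`/`set(ex=)`/`delete` calls of the redis-py client, so it runs offline; with a real deployment you would pass a `redis.Redis(...)` instance in its place. The product rows and the clock are constructed for the demo.

```python
import json
import time


class FakeRedis:
    """Constructed in-memory stand-in for a redis client.

    Only the three calls the cache-aside pattern needs are modelled, with the
    same shape as redis-py: get(key), set(key, value, ex=seconds), delete(key).
    An injectable clock lets the demo show TTL expiry without sleeping.
    """

    def __init__(self, clock=time.time):
        self._store = {}   # key -> (value, expires_at or None)
        self._clock = clock

    def get(self, key):
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._store[key]   # lazy expiry, like a TTL'd key vanishing
            return None
        return value

    def set(self, key, value, ex=None):
        expires_at = None if ex is None else self._clock() + ex
        self._store[key] = (value, expires_at)

    def delete(self, key):
        self._store.pop(key, None)


class ProductService:
    """Wraps the 'real' data source (a dict standing in for PostgreSQL) with a cache."""

    def __init__(self, cache, db, ttl_seconds=60):
        self.cache = cache
        self.db = db
        self.ttl = ttl_seconds
        self.db_reads = 0   # counted so the demo can prove when the cache was used

    @staticmethod
    def _key(product_id):
        # The key must capture everything the response depends on. For per-user
        # data you would include the caller's identity here, otherwise one user's
        # cached response could be served to another.
        return f"product:{product_id}"

    def get_product(self, product_id):
        # 1. Check the cache.
        cached = self.cache.get(self._key(product_id))
        if cached is not None:
            return json.loads(cached)
        # 2. Process the request against the real store.
        self.db_reads += 1
        row = self.db.get(product_id)
        if row is None:
            return None   # negative results are deliberately not cached here
        # 3. Cache the response with a TTL that bounds how stale it can get.
        self.cache.set(self._key(product_id), json.dumps(row), ex=self.ttl)
        return row

    def update_product(self, product_id, **fields):
        # Write-through to the real store, then invalidate so the next read
        # rebuilds the entry. This is how the app "knows" the cache is outdated.
        self.db[product_id].update(fields)
        self.cache.delete(self._key(product_id))


if __name__ == "__main__":
    db = {1: {"id": 1, "name": "Widget", "price": 10}}
    svc = ProductService(FakeRedis(), db, ttl_seconds=60)
    print(svc.get_product(1), svc.db_reads)   # miss -> db read
    print(svc.get_product(1), svc.db_reads)   # hit -> no new db read
    svc.update_product(1, price=12)
    print(svc.get_product(1), svc.db_reads)   # invalidated -> fresh db read
```

Two design points worth keeping in mind: the TTL is your safety net for changes you cannot observe (a third-party API updating behind your back), while delete-on-write is the precise answer for changes your own code makes; and because the cache is keyed on request identity, anything that makes the response differ per caller must be part of the key.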
  • 0
    @Hazarth thank you. I got a new question here now https://devrant.com/rants/6697025/...
  • 1
    Use what you know best, as that'll give the least time to market. When people use it and complain, then look at whether you should change something.
  • 0
    @atheist and just hope that the people complaining is not "millions of users' data stolen"
  • 2
    @thebiochemic if you get to millions of users, you'll have been through half a dozen rewrites by then... Hopefully...